SecurityWeek

Siemens Not Ruling Out Future Attacks Exploiting Global Private Keys for PLC Hacking

Researchers have demonstrated that threat actors could obtain global private keys that protect some of Siemens’ industrial devices, and the vendor says it cannot rule out malicious exploitation in the future.

Details were disclosed on Tuesday by industrial cybersecurity firm Claroty, whose researchers have been looking into ways to achieve native code execution on programmable logic controllers (PLCs).

The vulnerability is tracked as CVE-2022-38465 and it has been rated ‘critical’. Siemens has announced the availability of fixes for affected PLCs and the TIA Portal in one of its Patch Tuesday advisories.

Siemens has also released a separate security bulletin highlighting the vulnerability. According to the company, in 2013, it introduced asymmetric cryptography into the security architecture of its Simatic S7-1200 and S7-1500 CPUs in an effort to protect devices, customer programs, and communications between devices.

However, due to the lack of practical solutions for dynamic key management and key distribution for industrial control systems (ICS), at the time it decided to use a built-in global private key for protection.

Siemens has confirmed the findings of Claroty researchers, admitting that the cryptographic key is not properly protected. An attacker could launch an offline attack against a single PLC and obtain a private key that can then be used to compromise the entire product line for which the key was obtained.

The attacker can then obtain sensitive configuration data or launch man-in-the-middle (MitM) attacks that enable them to read or modify data between the PLC and its connected HMIs and engineering workstations.

Claroty researchers said they obtained the private key by exploiting an arbitrary code execution vulnerability they discovered in 2020 (CVE-2020-15782), which gave them direct memory access. They have shown how an attacker who has the private key could gain full control of a PLC and conduct MitM attacks.

“Siemens is not aware of related cybersecurity incidents but considers the likelihood of malicious actors misusing the global private key as increasing,” Siemens warned.

The industrial giant has made significant changes to address the issue, with a unique password being set for each device and communications now being protected by TLS 1.3.

The company has released firmware updates, but noted that updating the firmware on a device is not sufficient.

“In addition, the hardware configuration in the TIA Portal project (V17 or later) must also be updated to the corresponding CPU version and downloaded to the PLC,” it told customers.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
